Chainguard Launches Commercial Builds with Industry Leaders, Setting a New Standard for Verifiable, Zero-Vulnerability Software

Azul, Chainloop, Elastic, Expanso, F5 NGINX, Grafana Labs, Mattermost, Nirmata, Percona, Smallstep, and Tiger Data trust Chainguard for verifiably secure software with zero known CVEs

KIRKLAND, Wash., March 17, 2026 /PRNewswire/ -- Chainguard, the trusted source for open source, today announced the launch of Chainguard Commercial Builds, a new initiative designed to help software vendors and open source providers deliver secure software with zero known vulnerabilities, full provenance, and predictable security outcomes. With this launch, Chainguard now enables customers to secure both the open source and commercial components of their software stack through a single, secure-by-default approach.

Early partners in the program will include commercial software vendors and open source providers, such as Azul, Chainloop, Elastic, Expanso, F5 NGINX, GitLab, Grafana Labs, Mattermost, Nirmata, Percona, Smallstep, and Tiger Data.

Closing the commercial software security gap

Delivering commercial software as container images has become increasingly complex as enterprise expectations for security, compliance, and operational consistency rise, especially as application development shifts in the AI era. Enterprises operate across a range of Linux distributions, hardened golden images, and internal platform standards, making it unrealistic to support every environment directly. Often, customers receive general-purpose base images, like Debian or Ubuntu, and must rebuild, harden, and remediate vulnerabilities themselves to meet regulatory and internal requirements. This can create operational and security burdens that lead to friction, delayed deployments, and inconsistent outcomes.

"Software companies are focused on building the applications their customers depend on. Managing hardened containers and constantly chasing vulnerabilities adds operational burden that distracts from that mission," said Patrick Donahue, SVP of Product, Chainguard. "With Chainguard Commercial Builds, we're working directly with leading software providers to deliver official, verifiable container images without the operational overhead. It's a new model that removes security friction for vendors and customers alike, while extending Chainguard's secure-by-default approach across the entire software stack."

Chainguard Commercial Builds delivers trusted commercial software

Chainguard Commercial Builds extends the company's proven approach for open source containers to commercial ISV software, packaging and maintaining it using hardened, minimal images built with verifiable provenance, FIPS readiness, and defined CVE service-level agreements (SLAs). Through the program, ISVs provide their source code or binaries directly to Chainguard. Chainguard then ingests that software into the AI-native Chainguard Factory and produces secure containers with the same assurances as its open source offerings. Chainguard customers will also receive application-level support for the software from each of the partners in the program.

For ISVs, the Commercial Builds Program enables faster delivery of zero-to-low CVE commercial software, reduced operational overhead and security toil, greater access to regulated and security-sensitive markets, and a potential new revenue stream through revenue sharing. In return, customers gain access to hardened commercial software delivered with full provenance and compliance readiness, enabling wall-to-wall coverage across their stack.

Industry leaders set a new standard for secure-by-default software

Azul, Chainloop, Elastic, Expanso, F5 NGINX, GitLab, Grafana Labs, Mattermost, Nirmata, Percona, Smallstep, and Tiger Data will be initial partners in the Chainguard Commercial Builds program, signaling growing momentum behind a new standard for secure-by-default commercial software.

"Enterprises running Java in containerized environments shouldn't have to choose between hardened containers and trusted commercial support," said George Gould, Senior Vice President, Corporate Development & Partner Alliances, Azul. "With Chainguard Commercial Builds, we're extending our collaboration to deliver Java runtimes that combine hardened, secure-by-default container images with Azul's world-class performance, support and security-only updates, giving customers confidence from development through production."

"Chainloop is the governance layer for modern software factories. As humans and AI agents build software side by side, organizations need one place to define trust and one system to enforce it everywhere," said Daniel Liszka, Co-Founder and CEO, Chainloop. "Partnering with Chainguard means the containers behind Chainloop are trusted by default. That lets us focus on what we do best."

"Elastic empowers organizations to turn massive volumes of data into real-time, actionable insights with Search AI," said Uri Cohen, VP of Product for Platform, Elastic. "Working with Chainguard helps eliminate infrastructure-level compliance complexity, so our customers can focus solely on unlocking value from their data."

"Expanso runs data pipelines directly at the source, allowing organizations to filter, transform, and act on information before it reaches central platforms," said David Aronchick, CEO, Expanso. "Working with Chainguard strengthens the security of the software supply chain behind those pipelines, helping enterprises deploy distributed data infrastructure with confidence."

"As application architectures grow more complex in the AI era, security must be embedded at every layer," said Liam Crilly, Sr. Director, Product Management, F5 NGINX. "Chainguard enhances our ability to deliver secure, production-ready container images that align with our commitment to protecting modern and traditional applications alike. This partnership helps customers accelerate delivery while ensuring the integrity and security of their software supply chain."

"GitLab enables software teams and their AI agents to ship secure software faster through intelligent orchestration," said George Kichukov, Field CTO, GitLab. "This partnership extends that to the infrastructure layer, so customers get production-ready, hardened software without their teams carrying that operational weight."

"Working with Chainguard is the latest step in our commitment to secure-by-default infrastructure," said Ash Mahzari, VP of Corporate Development, Grafana Labs. "By delivering hardened and verified container images, we are equipping our customers with an uncompromising security foundation for the software powering their observability platforms."

"Mattermost supports organizations operating in some of the most security-sensitive environments in the world," said Corey Hulen, CEO of Mattermost Federal, Inc. and Mattermost Co-Founder. "Partnering with Chainguard helps ensure our containers are delivered hardened and production-ready, so customers can focus on secure collaboration without inheriting unnecessary risk."

"Nirmata provides the autonomous, Policy-as-Code governance required to secure modern, AI-driven infrastructure," said Ritesh Patel, VP of Product and Co-Founder, Nirmata. "By delivering our Kyverno-powered enterprise platform through Chainguard Commercial Builds, we're giving customers a frictionless, 0-CVE experience on a secure-by-default foundation."

"Security and reliability are critical for the database infrastructure our customers depend on," said Peter Farkas, CEO, Percona. "Collaborating with Chainguard helps ensure organizations running secure container images of our open source database software can meet modern security and compliance expectations without sacrificing the benefits of open source."

"As certificate lifetimes shrink toward 47 days—and AI agents and MCP toolchains multiply non-human access—manual rotation and long-lived keys won't scale," said Mike Malone, Founder and CEO, Smallstep. "Step-ca is relied on by 78 of the Fortune 100, and with Chainguard Commercial Builds and Step CA Pro we're helping customers reduce supply-chain risk while automating workload identity and mTLS in production."

"Tiger Data, creators of TimescaleDB, enable modern data teams to extend Postgres for time-series and analytics workloads at petabyte scale," said Michael Freedman, Co-founder and CTO, Tiger Data. "Through Chainguard Commercial Builds, we're delivering secure-by-default containers on a foundation developers trust that lets them focus on building the future, not maintaining hardened images."

Learn more about Chainguard Commercial Builds and start building with Chainguard today.

About Chainguard

Chainguard is the trusted source for open source. By delivering hardened, secure, and production-ready builds of all the open source software engineers and AI agents rely on, Chainguard helps organizations build faster, stay compliant, and eliminate risk. Its customers include Fortune 500 enterprises and global industry leaders, including Anduril, Canva, Fortinet, Hewlett Packard Enterprise, OpenAI, Snap Inc., and Snowflake. Chainguard is venture-backed by leading investors, including Amplify, IVP, Kleiner Perkins, Lightspeed Venture Partners, Mantis VC, Redpoint Ventures, Sequoia Capital, and Spark Capital. For more information, visit: https://www.chainguard.dev/

SOURCE Chainguard